A highly capable piece of malware, delivered in a way that slips past most cybersecurity measures, has been found infecting high-profile targets in China.
Kaspersky cybersecurity researchers have discovered malware they call WinDealer, distributed and used by a Chinese Advanced Persistent Threat (APT) actor named LuoYu. WinDealer, the researchers say, is capable of collecting “an impressive amount” of information. It can view and download any files stored on the device, as well as perform a keyword search on all documents.
To deliver the malware to the target endpoint, the attackers carry out a man-on-the-side attack: rather than sitting in the path and modifying traffic, they observe it as it passes and inject their own packets into the conversation.
Race with the server
When the victim requests a resource on the internet (opening their LinkedIn account, say), their machine sends a request to the server to fetch the page. An attacker who can see that request can craft a reply of their own and try to deliver malicious content before the legitimate server's response arrives.
Kaspersky describes the method as a “race” with the legitimate server. The attacker cannot suppress the genuine reply, so the injected one has to arrive first; but every new request is a fresh race, so the attacker can keep trying for as long as they want until one attempt wins. Infecting the endpoint requires no interaction from the victim.
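The race described above, as an added simulation that is not part of the original article or of Kaspersky's research. It assumes an unauthenticated client that keeps the first reply matching a transaction ID (as plain HTTP or DNS does), a fixed legitimate round trip of 40 ms, and a constructed series of injector latencies; it also shows the two points a practitioner cares about: the injector only needs to win once, and because it cannot suppress the real reply, the losing legitimate packet still arrives and can be used as a detection signal. Nothing here models LuoYu's actual infrastructure.

```python
"""Man-on-the-side race simulation (constructed example, not WinDealer code)."""
from dataclasses import dataclass

# Assumed values for the simulation, not measured figures.
SERVER_RTT_MS = 40.0
LEGIT_BODY = b"<html>legitimate page</html>"
INJECTED_BODY = b"<html>malicious update</html>"


@dataclass(frozen=True)
class Reply:
    arrival_ms: float
    txid: int      # transaction identifier the client matches replies against
    src: str       # "server" or "injector"
    body: bytes


def replies_for_request(txid, injector_delay_ms, on_path=True):
    """Every reply the client will see for one request, in arrival order.

    The injector is an observer, not a middlebox: it can copy the request and
    answer it, but it cannot drop the real answer, so the legitimate reply is
    always present. If the request travels through a tunnel the injector never
    sees it (on_path=False) and there is nothing to race.
    """
    replies = [Reply(SERVER_RTT_MS, txid, "server", LEGIT_BODY)]
    if on_path and injector_delay_ms is not None:
        replies.append(Reply(injector_delay_ms, txid, "injector", INJECTED_BODY))
    return sorted(replies, key=lambda r: r.arrival_ms)


def client_accepts(replies):
    """An unauthenticated client keeps the first reply for a transaction and
    discards later duplicates, much as a TCP stack ignores an already-ACKed
    segment. That is what turns the exchange into a race."""
    return replies[0]


def run_campaign(injector_delays_ms, on_path=True):
    """Retry on every request until an injected reply wins.

    Returns (index of the winning request or None, list of (index, winner)).
    """
    log = []
    for i, delay in enumerate(injector_delays_ms):
        accepted = client_accepts(replies_for_request(1000 + i, delay, on_path))
        log.append((i, accepted.src))
        if accepted.src == "injector":
            return i, log
    return None, log


def detect_injection(replies):
    """Network-sensor heuristic: two replies to the same transaction carrying
    different payloads. A genuine retransmission repeats the same bytes and is
    not flagged; a lost race still leaves both bodies on the wire."""
    seen = {}
    for r in replies:
        if r.txid in seen and seen[r.txid] != r.body:
            return True
        seen.setdefault(r.txid, r.body)
    return False


if __name__ == "__main__":
    # Constructed injector latencies: too slow twice, then fast enough.
    won_on, log = run_campaign([60.0, 45.0, 30.0])
    print("exposed path:", log, "-> injector won on request", won_on)
    print("tunnelled path:", run_campaign([60.0, 45.0, 30.0], on_path=False))
    print("injection visible to sensor:",
          detect_injection(replies_for_request(1, 30.0)))
```

The `detect_injection` check is the part worth carrying into real tooling: whether or not the injected reply wins, the victim's network sees two answers to one request, and a sensor keyed on transaction or sequence identifiers can raise on the mismatch even when the host itself has already acted on the wrong one.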
The targets are primarily high-profile organizations and individuals in China, the researchers say. Foreign diplomatic organizations established in China, members of the academic community, defense, logistics and telecommunications companies are listed as potential targets. In addition to China, Kaspersky researchers also mentioned targets in Germany, Austria, the United States, the Czech Republic, Russia and India.
All of the targets run Windows.
The malware is not only hard to detect but also hard to block. Malware of this kind normally contacts a command-and-control (C2) server for instructions, so blocking that server's IP address is usually enough to neutralise it. WinDealer instead generates its C2 addresses algorithmically from a pool of around 48,000 IP addresses, according to Kaspersky, so blocking the one address seen in an incident removes a single entry out of tens of thousands and an IP-based blocklist is impractical.
The defence Kaspersky suggests is to route traffic through another network that the attacker cannot observe, for example a VPN, so the request never passes the attacker in the clear and there is no race to win. Running a VPN in China, however, is easier said than done.